
Most of our closest allies do not force telcos to retain everyone’s metadata for up to a year without oversight
Last week, when I appeared before the Standing Committee on Public Safety and National Security on Bill C-22, a question kept coming up from members on both sides of the table: how do other countries handle this? Do our closest allies require electronic service providers to retain the metadata of nearly everyone in the country for a lengthy period, without grounds or individualized suspicion, as the government is proposing to do here?
With one exception, no, the Five Eyes partners have not gone where Bill C-22 proposes to go.
The European experiment
For context, the European Union passed a similar law in 2006 and the European Court of Justice struck it down in 2014. In the Digital Rights Ireland case, the Court acknowledged the general interest in making sure that data is preserved to help investigate and prosecute serious crime, including terrorism. But it held the impact of bulk metadata retention on privacy to be “wide-ranging,” “serious,” and disproportionate. The data retained under the law was not limited to investigating “serious crime.” Police could access it without a warrant. And the periods of data retention bore no connection to the possible usefulness of the data for investigations.
The Australian exception
Shortly thereafter, Australia adopted a mandatory retention regime that reproduced many of the features that led to the European law being struck down. (Perhaps it did so in part because Australia lacks a constitutional bill of rights.)
Australia’s metadata law of 2015 requires telcos to retain subscriber metadata for two years. This includes call duration, location info, email addresses — and police can obtain all of it without a warrant. The government’s intention with the bill was to make metadata available to some 20 law enforcement agencies, but a Parliamentary report in 2020 found that over 80 agencies had gained access to it. Amendments in 2023 curbed the scope of access somewhat, but left the core of the regime — the retention period and warrantless access — intact.
The United Kingdom
The UK has a framework closer in nature to what Bill C-22 is proposing, but with important differences.
Under Part 4 of the UK’s Investigatory Powers Act 2016, the Secretary of State may issue a “data retention notice” requiring a telecom provider to retain metadata for up to 12 months. But a Judicial Commissioner must approve the notice, by confirming it is necessary and proportionate in relation to one or more statutory purposes, such as national security, serious crime, or public safety.
Under Bill C-22, by contrast, the government can make a regulation that would require all “core providers” to retain metadata for up to a year with no judicial approval and no criteria to satisfy.
The United States
The US has no mandatory metadata retention regime. Under the Stored Communications Act, law enforcement can request that a provider “take all necessary steps to preserve records and other evidence in its possession,” pending a warrant. Preserved records are held for 90 days. Police can make this request without grounds, but to access the data, they need the form of legal process required for the records sought (a warrant in some cases, a subpoena in others).
This is close in nature to what we have in Canada: the preservation demand and order powers in the Criminal Code. Ours require reasonable suspicion for a retention demand lasting 21 days and a warrant on the same grounds for preservation up to 90 days.
Notably, in both Canada and the US, retention is targeted and limited to short periods. Neither country places a general retention burden on providers or generates a pool of data about people who are never investigated.
New Zealand
New Zealand has production orders and preservation directions under its Search and Surveillance Act 2012 similar to those in our Criminal Code, and it does not have an Australian-style bulk metadata retention scheme.
Why be an outlier?
Bill C-22 would put Canada closer to Australia, and further from the approach taken by three of its four closest intelligence partners.
As I’ve noted in my earlier posts on C-22’s metadata retention power, the government appears to assume that this won’t be held contrary to the Charter because an order to preserve metadata that police do not access is not a search or seizure. On this view, merely creating a record of our movements, call duration, and so on for potential police use involves no interference with privacy. It’s only an interference when police access the data retained.
The question here for the courts will be: is it reasonable to expect that our movements in space and time, the coordinates of our calls, won’t be recorded by the state for a law enforcement purpose? Knowing that a record was being kept for this purpose, would a reasonable person feel like they were being surveilled?
The ECJ thought so in the Ireland case. The UK Court of Appeal thought so in 2018. Our own Parliament thought so in 2014 when it added preservation powers to the Code.
Why would we not assume the same is true today? ■
